Using Service-Linked Roles for Amazon Redshift

Amazon Redshift uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Redshift. Service-linked roles are predefined by Amazon Redshift and include all the permissions that the service requires to call AWS services on behalf of your Amazon Redshift cluster.

A service-linked role makes setting up Amazon Redshift easier because you don't have to manually add the necessary permissions. The role is linked to Amazon Redshift use cases and has predefined permissions. Only Amazon Redshift can assume the role, and only the service-linked role can use the predefined permissions policy. Amazon Redshift creates a service-linked role in your account the first time you create a cluster. You can delete the service-linked role only after you delete all of the Amazon Redshift clusters in your account. This protects your Amazon Redshift resources because you can't inadvertently remove permissions needed for access to the resources.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Creating a Service-Linked Role for Amazon Redshift

You don't need to manually create an AWSServiceRoleForRedshift service-linked role. Amazon Redshift creates the service-linked role for you. If the AWSServiceRoleForRedshift service-linked role has been deleted from your account, Amazon Redshift creates the role again when you launch a new Amazon Redshift cluster.

Important

If you were using the Amazon Redshift service before September 18, 2017, when it began supporting service-linked roles, then Amazon Redshift created the AWSServiceRoleForRedshift role in your account. To learn more, see A New Role Appeared in My IAM Account.

Editing a Service-Linked Role for Amazon Redshift

Amazon Redshift does not allow you to edit the AWSServiceRoleForRedshift service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using the IAM console, the AWS Command Line Interface (AWS CLI), or the IAM API. For more information, see Modifying a Role in the IAM User Guide.

Deleting a Service-Linked Role for Amazon Redshift

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained.

Before you can delete a service-linked role for an account, you need to shut down and delete any clusters in the account. For more information, see Shutting Down and Deleting Clusters.

You can use the IAM console, the AWS CLI, or the IAM API to delete a service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
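The editing and deleting tasks above can be scripted with the AWS CLI. The following shell script is an added example and is not part of the AWS documentation or the Amazon Redshift service: it checks whether AWSServiceRoleForRedshift exists, updates its description (the only editable attribute), and refuses to request deletion while any cluster remains in the account, failing closed if the cluster listing itself fails. It assumes the AWS CLI is installed and configured with credentials that can call redshift:DescribeClusters, iam:GetRole, iam:UpdateRole and iam:DeleteServiceLinkedRole; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): lifecycle helpers for the
# AWSServiceRoleForRedshift service-linked role. Assumes a configured AWS CLI.
# Function names are this example's own, not AWS CLI or API identifiers.

SLR_NAME="AWSServiceRoleForRedshift"

# slr_exists: returns 0 if the service-linked role is present in the account.
# Redshift creates the role itself, so this is only a read-only check.
slr_exists() {
  aws iam get-role --role-name "$SLR_NAME" >/dev/null 2>&1
}

# set_slr_description: the description is the only attribute you can change;
# the role name and its permissions policy are fixed by Amazon Redshift.
set_slr_description() {
  aws iam update-role --role-name "$SLR_NAME" --description "$1"
}

# list_redshift_clusters: prints one cluster identifier per line (nothing when
# the account has no clusters). Returns non-zero if the CLI call fails, so a
# credentials or network error is never mistaken for "no clusters".
list_redshift_clusters() {
  raw=$(aws redshift describe-clusters \
        --query 'Clusters[].ClusterIdentifier' --output text) || return 1
  printf '%s\n' "$raw" | tr '\t' '\n' | sed '/^$/d'
}

# slr_can_be_deleted: reads a cluster list on stdin and succeeds only when it
# is empty, mirroring the rule that the role can be deleted only after every
# Redshift cluster in the account has been deleted.
slr_can_be_deleted() {
  remaining=$(sed '/^$/d' | wc -l | tr -d ' ')
  [ "$remaining" -eq 0 ]
}

# delete_redshift_slr: requests deletion and prints the deletion task id that
# IAM uses to report the outcome of the asynchronous deletion.
delete_redshift_slr() {
  aws iam delete-service-linked-role --role-name "$SLR_NAME" \
    --query DeletionTaskId --output text
}

# main: refuse to delete while clusters remain; otherwise delete and report.
main() {
  clusters=$(list_redshift_clusters) || {
    echo "Could not list Redshift clusters; not deleting $SLR_NAME." >&2
    return 1
  }
  if printf '%s\n' "$clusters" | slr_can_be_deleted; then
    task=$(delete_redshift_slr) || return 1
    aws iam get-service-linked-role-deletion-status --deletion-task-id "$task"
  else
    echo "Cannot delete $SLR_NAME; shut down and delete these clusters first:" >&2
    printf '%s\n' "$clusters" >&2
    return 1
  fi
}

# The deletion workflow runs only when invoked as: sh redshift-slr.sh delete
case "${1:-}" in
  delete) main ;;
esac
```

Sourcing the file exposes the functions without running anything; `sh redshift-slr.sh delete` runs the guarded deletion. Because IAM deletes service-linked roles asynchronously, the final `get-service-linked-role-deletion-status` call is what tells you whether the deletion actually succeeded or was blocked by remaining resources.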